Is there a way to set up an encrypted partition with keys from the kernel key ring?

The key-ring services support special keys called encrypted keys. These keys never exist outside kernel memory in an unencrypted state. These encrypted keys are encrypted with other keys in the kernel keyring: user keys and trusted keys. Trusted keys are keys protected by a TPM SRK.

http://lxr.free-electrons.com/source/Documentation/security/keys-trusted-encrypted.txt

This would be something different from TPM-LUKS, which protects keys in the TPM NVRAM. A possible advantage of using encrypted keys from the kernel key ring is that the key(s) used by dm-crypt never have to be exposed to user space in an unencrypted state. Currently, user space can see the encryption key of a dm-crypt partition in plain text by using the following command:

    dmsetup table --showkeys <device name>

I am not entirely sure if that is an issue.

Lastly, I just want to mention that trusted keys and encrypted keys are already used for ecryptfs:

http://lxr.free-electrons.com/source/Documentation/security/keys-ecryptfs.txt

Thanks,
Safayet

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
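
The exposure described in the message above can be audited from saved `dmsetup table --showkeys` output. The following is an added example, not part of the original post: it reports which crypt mappings carry raw key material readable from user space. The sample table lines and key values are constructed, and the `:<key_size>:<key_type>:<key_description>` keyring reference form it recognises comes from the kernel's dm-crypt documentation, not from this message.

```python
import re

# Constructed sample of `dmsetup table --showkeys` output (key values are made up).
SAMPLE = """\
cryptroot: 0 417792 crypt aes-xts-plain64 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 0 8:3 4096
cryptdata: 0 2097152 crypt aes-xts-plain64 :64:logon:cryptsetup:constructed-uuid-d0 0 8:4 32768 1 allow_discards
vg0-swap: 0 1048576 linear 8:5 2048
"""

HEX_KEY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

def classify_key(field):
    """Return (status, detail) for a crypt target's key field; never echoes the key."""
    if field.startswith(":"):
        # Keyring reference: :<key_size>:<key_type>:<key_description>
        parts = field[1:].split(":", 2)
        if len(parts) != 3 or not parts[0].isdigit():
            return ("malformed", "unparseable keyring reference")
        return ("keyring", f"{parts[1]} key '{parts[2]}', {parts[0]} bytes")
    if field == "-":
        return ("no-key", "mapping has no key")
    if not HEX_KEY.match(field):
        return ("malformed", "key field is neither hex nor a keyring reference")
    if set(field) == {"0"}:
        # Without --showkeys dmsetup prints zeros in place of the key.
        return ("masked", "all zeros: masked output or an all-zero key")
    return ("exposed", f"{len(field) * 4}-bit key readable from user space")

def audit(table_text):
    """Return (name, cipher, status, detail) for every crypt target in the table."""
    findings = []
    for line in table_text.splitlines():
        tokens = line.split()
        name = "(single device)"  # `dmsetup table <name>` omits the name prefix
        if tokens and tokens[0].endswith(":"):
            name, tokens = tokens[0][:-1], tokens[1:]
        # Remaining fields: start length target cipher key iv_offset device offset ...
        if len(tokens) < 5 or tokens[2] != "crypt":
            continue
        status, detail = classify_key(tokens[4])
        findings.append((name, tokens[3], status, detail))
    return findings

if __name__ == "__main__":
    for name, cipher, status, detail in audit(SAMPLE):
        print(f"{name:12} {cipher:18} {status:9} {detail}")
```
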